No software is 100% secure and WordPress is no exception to that rule. Powering nearly a quarter of all websites worldwide, the platform is naturally an irresistible target for hackers and has been the subject of many attacks over the years.
People who remember early security stumbles such as the various serious vulnerabilities discovered in 2009 may have long ago written the platform off as being inherently insecure – this would be wrong.
For every exploit or vulnerability which has caused issues, there’ve been dozens – if not hundreds – caught in time thanks to a combination of user reports, WordPress’ dedicated security team and the efforts of independent developers.
In this article we’ll cover five essential security measures you must master to keep your site safe and a range of handy plugin solutions to help you do so.
Let’s start with what you need to know.
- 1. Use Strong Usernames and Passwords
- 2. Secure Your Login Screen
- 3. Understand File and Folder Permissions
- 4. Backup, Backup, Backup
- 5. Keep WordPress up to Date
- Don’t Worry, There’s a Plugin For That
- Single-Purpose Solutions
- BBQ: Block Bad Queries
- Summary
1. Use Strong Usernames and Passwords
By far the most common and easily avoidable mistake people make when performing a WordPress install is not changing the default admin username.
The reason this should be done is simple: if someone’s trying to brute-force their way into your website, leaving the default username as it is basically takes one variable out of the equation and means the bad guys only need to guess your password.
Users have been able to choose their own admin username during setup since WordPress 3.0. If you didn’t get this option during the installation process and have been ignoring the WordPress update alerts on your dashboard, right now might be the perfect time to perform those upgrades and take care of business.
Your password is your second line of defense and, though I’m sure you’re tired of being told to pick strong passwords and use unique ones for every site, it’s really something you have to do. The minor amount of effort this requires when you go about it in an organized way is trivial compared to the hassle of trying to repair a compromised site.
A good password manager will almost always include strong password generation tools and will make managing your various logins a piece of cake. LastPass, Roboform and 1Password are all excellent options in this regard.
For an added layer of security, you should also enable two-factor authentication through the use of plugins such as iThemes security (covered in our list below). It’s easy for site owners to gloss over this step to make logging in for themselves as hassle-free as possible. You’ll be glad to have activated the option when you receive your first notifications about failed login attempts from unknown sources though.
2. Secure Your Login Screen
Even if your username/password combination is as secure as Fort Knox, a dedicated attacker could potentially gain access to your dashboard given enough time if your login screen isn’t secured against brute-force attacks.
An easy way to avoid this is to limit the number of login attempts allowed from any single source within a specific period of time. While the same IP address trying to log in time after time unsuccessfully could be attributed to someone having a lousy memory, it’s much more likely to be an attacker trying different permutations of usernames and passwords.
Your login screen also shouldn’t inform users which field they’ve made a mistake in if they fail to provide the right information. As mentioned up above, anything that potentially helps attackers narrow down their options by eliminating a variable is to be avoided.
Captchas can also be a valuable tool for securing login screens against bots. Although resourceful attackers have in the past farmed captcha solving out to actual humans in order to brute-force sites, captchas still put a small roadblock in the way and shouldn’t be overlooked – especially considering how easy they are to set up.
Another measure you can take is configuring notifications to be sent to you whenever there’s a login attempt that could be considered fishy. For example, are you supposed to be the only one with access to the dashboard? Then why is some guy in Russia trying to login at three in the morning? Installing a firewall to block IP addresses that have previously been blacklisted is also a sensible move. All of this can be achieved via the plugins we’ll list later.
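The three measures above (attempt limiting per source, a generic error message, and a notification on suspicious activity) can be implemented directly with WordPress hooks. The following must-use plugin is an added example, not code from the article or from any of the plugins it reviews; it assumes no reverse proxy, so `REMOTE_ADDR` is the real client address, and the `lt_` names are invented for this example.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example, not from the article)
 * Drop this file into wp-content/mu-plugins/ to load it automatically.
 * Assumes no reverse proxy: REMOTE_ADDR is the real client address.
 */

const LT_MAX_ATTEMPTS = 5;                      // failures allowed per window
const LT_WINDOW       = 15 * MINUTE_IN_SECONDS; // lockout length

// Transient key for the calling IP; transients expire on their own.
function lt_client_key(): string {
    return 'lt_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Count a failure. Fires for a wrong username and a wrong password alike,
// so an attacker gains nothing by guessing one field at a time.
add_action('wp_login_failed', function () {
    $key   = lt_client_key();
    $count = (int) get_transient($key) + 1;
    if ($count > LT_MAX_ATTEMPTS) {
        return;                 // already locked; let the window run out
    }
    set_transient($key, $count, LT_WINDOW);
    if ($count === LT_MAX_ATTEMPTS) {
        wp_mail(get_option('admin_email'),
            'Login lockout on ' . home_url(),
            sprintf("%d failed logins from %s within %d minutes.",
                $count, $_SERVER['REMOTE_ADDR'] ?? 'unknown', LT_WINDOW / 60));
    }
});

// Refuse to authenticate while the IP is over the limit. Priority 30 runs
// after WordPress's own username/password check (priority 20).
add_filter('authenticate', function ($user) {
    if ((int) get_transient(lt_client_key()) >= LT_MAX_ATTEMPTS) {
        return new WP_Error('lt_locked', 'Too many failed attempts. Try again later.');
    }
    return $user;
}, 30);

// One generic message instead of "invalid username" vs "incorrect password".
add_filter('login_errors', function () {
    return 'Invalid login credentials.';
});

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(lt_client_key());
});
```

The `login_errors` filter replaces every message shown on the login form, including lost-password errors, which is the trade-off for not leaking which field was wrong.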
3. Understand File and Folder Permissions
In the vast majority of cases, you shouldn’t need to mess around too much with WordPress defaults but it’s worth your while having at least a cursory understanding of file permission modes in general.
The two most common modes you will come across are 644 and 755. These are basically categories that determine the set of rules that govern each file or directory (i.e. who can read, open or modify files).
Files with mode 644 can be read and written to (UNIX-speak for modified in any way) by their owner (the user on the server who created them), while the owner’s group and everyone else can only read them. This is the ideal setting for many types of files.
Mode 755 is mostly used for folders: the owner can read, write and enter the directory, while everyone else can read and enter it (the execute bit on a directory is what lets a user change into it). You’ll occasionally come across plugins that require certain folders to be set to 755.
File and folder permissions can be a head-melting topic if you are new to it but, if you remember nothing else, bear in mind that you should always avoid setting a permission mode to 777 – even if a plugin explicitly asks you to – unless you know exactly what you’re doing.
This mode is basically a big no-no since it grants complete access to absolutely any user, allowing them to read, write to or delete directories at will and potentially cause all sorts of problems.
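To see where an install departs from the 644/755 baseline described above, and in particular where anything is world-writable, the following command-line script walks a WordPress directory tree and reports every deviation. It is an added example, not code from the article or from WordPress itself; the file name and function name are invented here.

```php
<?php
// perms-audit.php (added example, not from the article). Walks a WordPress
// tree and reports entries that deviate from the baseline the article gives:
// 644 for files, 755 for directories. World-writable entries (the 777 case)
// are flagged separately because they are the ones to fix first.
// Usage: php perms-audit.php /path/to/wordpress

function audit_permissions(string $root): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode     = fileperms($path) & 0777;        // drop the file-type bits
        $expected = $info->isDir() ? 0755 : 0644;
        if ($mode === $expected) {
            continue;
        }
        $findings[] = [
            'path'           => $path,
            'mode'           => sprintf('%04o', $mode),
            'expected'       => sprintf('%04o', $expected),
            'world_writable' => ($mode & 0002) !== 0,  // "others" may write
        ];
    }
    return $findings;
}

$findings = audit_permissions($argv[1] ?? getcwd());
foreach ($findings as $f) {
    printf("%s %s is %s, expected %s\n",
        $f['world_writable'] ? '[WORLD-WRITABLE]' : '[mismatch]',
        $f['path'], $f['mode'], $f['expected']);
}
printf("%d entries deviate from the baseline.\n", count($findings));
```

A `wp-config.php` set tighter than 644 (for example 600 or 640) will show up as a mismatch; that is intentional hardening, not a problem.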
4. Backup, Backup, Backup
Even though I walk through the valley of the shadow of death, I will fear no evil, for I have dutifully performed backups.
Backups are such a simple yet crucial part of site security they should be preached as gospel.
In the unfortunate event of a security breach – catastrophic or otherwise – you’ll be enormously thankful you had adequate backups. Fail to get them in place in advance and the road back could be long and painful.
The one caveat is backup frequency: if you only back up semi-regularly, you risk losing whatever changed since the last snapshot. A weekly or bi-weekly backup should be more than enough for most websites, and these can be automated through plugins so you don’t actually have to remember to perform them manually.
If you’re worried about maintaining a huge library of unnecessary backups, well, that could happen. But then again it’s 2015 – online and offline storage space are both ridiculously cheap and the cost involved is well worth the peace of mind it brings. Plus, you can always rotate the oldest snapshots out of storage once a set amount of time has passed to save on space.
5. Keep WordPress up to Date
We all know how annoying it can get to have to deal with “update available” notifications both for WordPress itself and all the plugins you have installed. However, there’s a reason why development teams go through the trouble of pushing out constant updates and it’s not just to include new features.
Despite how easy it is to use WordPress, it’s still a pretty complex CMS. When you add plugins on top of that, plus the interactions between them, you’re potentially opening up quite a large can of security vulnerabilities that developers need to stay on top of to protect their users.
Skipping that latest update can mean the difference between running a website with a glaring vulnerability that hackers would love to exploit and running one without it.
While you’re at it, don’t skim over the changelogs either! You might miss important information about compatibility issues between plugins or WordPress versions. That’s the kind of stuff that can inadvertently break a website.
WordPress security releases are particularly important to pay attention to so take some time to check your site is up to date as often as possible.
Don’t Worry, There’s a Plugin For That
Alright, now you’ve got a basic understanding of the five basic security measures every WordPress site owner should be familiar with. You can find more great info on the WordPress site itself in the Hardening WordPress section of the Codex.
We’ll now turn our attention to some of the best plugins available for helping you handle some of the heavy lifting around securing your site.
A quick word of warning before we proceed: as with any plugin, there’s a possibility – however remote – that turning on some of the features included within our selections will break or cause errors on your site. They’re generally easier to set up on new installs so, if you’re dealing with a live site, we recommend performing a complete backup before setting anything up.
Let’s look at our selection of five outstanding general WordPress security plugins.
1. Wordfence Security
Compatible up to: 4.3.1
Last updated: 2015-9-14
Rating: 4.9 out of 5 stars (with over a million installs)
Currently the most popular security plugin available for WordPress, Wordfence Security has both free and premium versions. It offers real-time blocking from malicious sources, login security, malware scans, a firewall, support for multi-site, and many other features.
Its monitoring options allow you to scan all of the traffic to your WordPress install in real time and split out humans, bots, login attempts and “site not found” errors.
Wordfence’s main selling point is how it leverages its gigantic base of active users in order to log malicious penetration attempts and block the sources from every other site on its “network”. In essence, the software becomes better at preventing attacks as more people install it.
2. iThemes Security
Compatible up to: 4.3.1
Last updated: 2015-9-15
Rating: 4.7 out of 5 stars (with 600,000+ installs)
Formerly known as Better WP Security, iThemes Security is an established WordPress security solution available in both free and premium versions and should be more than enough to cover most site owners’ bases.
Its features include two-factor authentication with Google Authenticator or Authy, malware scans, forced password expiration dates, file comparison, the ability to temporarily grant admin privileges to other users and detailed logs of users’ actions.
3. All In One WP Security & Firewall
Compatible up to: 4.3.1
Last Updated: 2015-9-18
Rating: 4.9 out of 5 stars (with 200,000+ installs)
A solution that lives up to its name. All In One WP Security & Firewall has a friendly interface that shows you a Security Strength Meter, a Security Points Breakdown and the status of critical features such as default usernames, login lockdowns, file permissions and a firewall.
Its features are divided into basic, intermediate and advanced sections for those who prefer fine-tuning and they include account and login security, registration security, database backup, file system protection, blacklisting, firewall functions, brute-force attack prevention and much more.
The plugin is also available in 11 languages making it an excellent option for multilingual sites.
4. BulletProof Security
Compatible up to: 4.3.1
Last updated: 2015-9-9
Rating: 4.7 out of 5 stars (with 100,000+ installs)
Bulletproof Security is a one-stop shop for solving some of the most common security flaws present in WordPress installs. It includes .htaccess protection, login security protocols, automatic database backups, HTTP error logs, authentication cookies expiration and a multitude of other features.
There’s also a professional premium version costing $59.95 which adds real-time file monitoring, intrusion detection & prevention systems, a firewall just for your plugins, anti-spam measures and 16 further separate plugins for modular coverage.
Setup of the plugin can be performed manually or through a one-click wizard that automatically turns every security feature on.
5. Sucuri Security
Compatible up to: 4.2.5
Last updated: 2015-7-30
Rating: 4.6 out of 5 stars (with 100,000+ installs)
Another solid general solution, Sucuri Security provides overall security auditing, file modifications and permissions, malware scanning, blacklists, a firewall, and notifications.
Notifications are delivered via email and you can set a maximum per hour, define a threshold of failed logins from the same IP address before they’re considered malicious, and be alerted of both successful and failed logins and post changes.
Single-Purpose Solutions
While our previously mentioned all-purpose plugins are great for most occasions, you may only be interested in securing a particular aspect of your website.
After all, configuring dozens of features can be a real hassle if you’re only interested in getting one particular job done. Here’s a quick round-up of three handy single-purpose solutions.
1. WP-DB-Backup
Compatible up to: 4.2.5
Last updated: 2015-7-8
Rating: 4.6 out of 5 stars (with 500,000+ installs)
WP-DB-Backup is a very simple plugin which, as its name implies, allows you to perform backups of your core WordPress database tables.
The developer made a conscious choice only to allow the backup of core database files since they’re the primary thing you’ll need to recover if your site is breached or falls over.
phpMyAdmin is required to restore your database from a backup, so make sure your hosting control panel includes it (we’re 99.9% sure it will, but it never hurts to be careful).
2. Login Security Solution
Compatible up to: 4.2.5
Last updated: 2015-5-25
Rating: 4.3 out of 5 stars (with 20,000+ installs)
Login Security Solution is a simple plugin dedicated – as its name suggests – to securing your login screen. It’s built to detect anomalies within the process such as detecting login attempts made by “form-filler” programs, matching current login attempts to past ones and determining whether an account has been compromised. It can also analyze the strength of your passwords, force users to constantly change them and notify you whenever a breach is attempted.
BBQ: Block Bad Queries
Compatible up to: 4.3.1
Last updated: 2015-8-8
Rating: 5 out of 5 stars (with 50,000+ installs)
Block Bad Queries is the only member of either of our lists with a perfect review score – impressive even if we’re only talking about 35 reviews. It’s lightweight, easy to install and does just what it’s supposed to by screening your traffic and blocking bad queries or malicious URL requests.
Summary
If you’re going to take one thing away from this article, it should be this: don’t panic! Expanding your knowledge is the key to locking down your site and staying calm. Here’s a quick recap of our five essential security measures:
- Use strong usernames and passwords.
- Secure your login screen.
- Understand file and folder permissions.
- Backup your site.
- Keep WordPress up to date.
As a site owner or developer, there will always be vulnerabilities and attack vectors to worry about but it’s never been easier to maintain a secure WordPress install than it is today. The platform itself has been considerably hardened over the years and there are excellent plugin solutions such as the ones we outlined above to help you dial in your settings and sleep better at night.
Do you have any WordPress security tips you’d like to share? Let us know in the comments.
I’m happy to see Login Security Solution getting some recognition. It’s one of my favorite security-related plugins.
These are all great. Thanks for providing this detail!
However, WordPress can shut down most hack attempts with one fairly simple new feature, if they would ever offer it:
Specify Admin Directory Name: [_/wp-admin/_________]
Allow the person installing WP to change the default /wp-admin/ path to whatever they want. Since most hackbots are just running randomly through http://www.domain.com/wp-admin/ looking for a WP login form, this would shut most of them down and make their job a LOT harder.
Perhaps as an added option, allow the installing user to also keep a /wp-admin/ page that displays a dead login form to stall hackers (where clicking the Log In button allows them countless retries and keeps them in limbo).
As an extra precaution, maybe include a button labeled “Resend Login Info.” When clicked, the WP site would send to the administrator’s email (specified during configuration of WP) the correct login location — in case they’ve forgotten where to login.
I like this post. Which is the better security plugin that would have the least conflict with elegant themes plugins and other plugins that you know about?